Join GitHub today
GitHub is home to over 31 million developers working together to host and review code, manage projects, and build software together.Sign up
cidr_match in lookup tables #246
It would be useful to have the ability to perform a cidr_match on the keys of a lookup table.
The goal would be to look up a specific IP in a list of subnets and have the column(s) for the subnet to which that IP belongs returned.
For example, looking up 192.168.7.3 against the following CSV would return 'office':
Currently, a 1:1 match is required for the key such that the subnet would have to be known before the lookup could be performed.
For reference, the Graylog Community thread: https://community.graylog.org/t/mapping-ips-to-subnets/4083
It may also be a solution to use a custom MaxMind DB for this as described here: https://blog.maxmind.com/2015/09/29/building-your-own-mmdb-database-for-fun-and-profit/
But it appears as if Graylog can only use the predefined City and Country MMDB formats for a data adapter.
if you use the processing pipelines for the GEO IP Lookup - with your custom database, you would be able to access that information you add yourself.
Please see how to-do this in this posting: https://blog.reconinfosec.com/geolocation-in-graylog/
With that and your custom DB you would be able to access the information.